Clean Python Flask replacement for odc-api (Hivemapper Bee liberation)
Cobb 22fba16c0c
All checks were successful
gitleaks / scan (push) Successful in 35s
security: random per-device API token + one-shot pairing window (CRIT auth-bypass fix)
The bearer token was sha256(serial)[:32] and the serial is served unauthenticated, so anyone reaching :5000 could compute it and take the device over. Now: token is a random secrets.token_urlsafe(32) at /data/adacam/api_token (never derived from serial); /pair only returns it during a one-shot pairing window (/data/adacam/pairing_open, opened by adacam-pair or install.sh, closes after one pair); require_auth uses hmac.compare_digest. NEEDS ON-DEVICE PAIRING TEST before merge to main — see SECURITY-PAIRING.md.
2026-06-13 09:48:29 -07:00
.forgejo/workflows ci: add gitleaks workflow (Sulkta canonical) 2026-05-27 22:14:29 -07:00
adacam_api security: random per-device API token + one-shot pairing window (CRIT auth-bypass fix) 2026-06-13 09:48:29 -07:00
bin security: random per-device API token + one-shot pairing window (CRIT auth-bypass fix) 2026-06-13 09:48:29 -07:00
systemd Initial commit: adacam-api v1.0.0 2026-03-14 08:13:04 -07:00
.gitignore Initial commit: adacam-api v1.0.0 2026-03-14 08:13:04 -07:00
install.sh security: random per-device API token + one-shot pairing window (CRIT auth-bypass fix) 2026-06-13 09:48:29 -07:00
LICENSE audit follow-ups: deps floor, LICENSE, gate /debug/redis-keys 2026-05-27 09:22:12 -07:00
main.py Initial commit: adacam-api v1.0.0 2026-03-14 08:13:04 -07:00
README.md Rotate AdaMaps ingest+read keys (env-required, no inline default) 2026-05-27 09:17:22 -07:00
requirements.txt audit follow-ups: deps floor, LICENSE, gate /debug/redis-keys 2026-05-27 09:22:12 -07:00
SECURITY-PAIRING.md security: random per-device API token + one-shot pairing window (CRIT auth-bypass fix) 2026-06-13 09:48:29 -07:00
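
The token scheme described in the latest commit message above, as an added example that is not the repository's own code: the serial-derived token the commit removes, next to a random token that is released once per pairing window and checked in constant time. The `PairingStore` class, its method names and the `data_dir` parameter are assumptions made for illustration; the commit places the two files under /data/adacam/.

```python
import hashlib
import hmac
import os
import secrets
from pathlib import Path


def legacy_token(serial: str) -> str:
    """The 'before': anyone who can read the serial can recompute this."""
    return hashlib.sha256(serial.encode()).hexdigest()[:32]


class PairingStore:
    """File-backed random token plus one-shot pairing flag (hypothetical layout)."""

    def __init__(self, data_dir):
        self.token_path = Path(data_dir) / "api_token"
        self.window_path = Path(data_dir) / "pairing_open"

    def ensure_token(self) -> str:
        """Create the random token once, with owner-only permissions."""
        try:
            fd = os.open(self.token_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            return self.token_path.read_text().strip()
        token = secrets.token_urlsafe(32)  # independent of serial or device ID
        with os.fdopen(fd, "w") as fh:
            fh.write(token)
        return token

    def open_window(self) -> None:
        """Operator action: allow exactly one pairing request."""
        self.window_path.touch(mode=0o600)

    def pair(self):
        """Return the token only while the window is open, then close it."""
        try:
            os.unlink(self.window_path)  # only one concurrent caller can win this
        except FileNotFoundError:
            return None  # window closed: the token is never disclosed
        return self.ensure_token()

    def is_authorized(self, header: str) -> bool:
        """Constant-time check of an 'Authorization: Bearer <token>' value."""
        scheme, _, presented = (header or "").partition(" ")
        expected = self.ensure_token()
        return scheme == "Bearer" and hmac.compare_digest(presented.encode(), expected.encode())
```

Closing the window by unlinking the flag file before returning the token means two simultaneous pairing requests cannot both succeed.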

adacam-api

Clean Python Flask replacement for Hivemapper's odc-api — a 434k-line Node.js monolith with a filed CVE. This service runs on the Hivemapper Bee (HDC-S) dashcam as part of the adacam liberation stack.

What it does

  • Serves API endpoints for the Varroa Android app and adamaps-forwarder
  • Reads GPS data from Redis (GNSSFusion30Hz)
  • Stores landmark detections in SQLite
  • Forwards detections to AdaMaps API (with offline queuing)

Endpoints

Method  Path                                Description
GET     /api/1/landmarks/last/{N}           Last N detections
POST    /api/1/landmarks                    Ingest new detection
GET     /api/1/gnssConcise/latestValid      Current GPS fix
GET     /api/1/status                       Device status
GET     /api/1/deviceinfo                   Device identity
GET     /api/1/recording/frames/latest      Latest frame path

Note: /api/1/cmd is intentionally NOT implemented — that was the CVE.

Installation

./install.sh

This will:

  1. Copy files to /opt/adacam/
  2. Install Python dependencies
  3. Enable and start the systemd service
  4. Generate a device ID on first run

Configuration

Config file: /data/adacam/config.json

{
  "device_id": "auto-generated UUID",
  "adamaps_key": "<your-adamaps-ingest-key>",
  "adamaps_api": "https://api.adamaps.org",
  "ap_interface": "wlp1s0f0",
  "tunnel_host": "",
  "tunnel_user": "",
  "tunnel_port": 2222
}

Requirements

  • Python 3.8+
  • Redis (for GPS/IMU data)
  • Flask, redis-py, requests

License

MIT